How a single criminal hacking group held Canadian casinos and mining companies ransom

A FireEye information analyst works in front of a screen showing a near real-time map tracking cyber threats at the company office in Milpitas, Calif., in December 2014. (Beck Diefenbach/Reuters)

Matthew Braga, Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News. He was previously the Canadian editor of Motherboard, Vice Media's science and technology website, and a business and technology reporter for the Financial Post.
Email: matthew.braga@cbc.ca

A "financially motivated" and digitally-savvy criminal hacking group has spent at least three years infiltrating computers at several unnamed Canadian mining companies and casinos, stealing sensitive data and holding it for ransom.

The group, dubbed FIN10 by the cybersecurity company FireEye, began operating as early as 2013, continued until at least 2016, and has not been identified before, investigators said.

Charles Prevost, one of the investigators and a senior manager at FireEye's security consulting practice Mandiant, said they "have no idea why" FIN10 had seemingly chosen to target only Canadian mines and casinos. He could not attribute FIN10 to a particular country or location — a notoriously difficult problem in cybersecurity investigations — but noted that its members appeared to be native English speakers, despite attempts to appear otherwise.

According to FireEye's report, released today, the attacks targeted sensitive files such as corporate records, private communications and customer information. After stealing the data from the victims' computers, the investigators say the hackers demanded ransoms of between 100 and 500 bitcoin — about $35,000 to $170,000 Cdn.

A security expert says investigators have 'no idea' why a newly identified hacking group has gone after Canadian mining companies and casinos over the last three years — holding stolen data for ransom and turning off essential systems of uncooperative victims. (Jean Luis Arce/Reuters)

The group then threatened to release some of the stolen data to the public if no payment was received within 10 days, and to release more data if there was still no payment three days later.

FIN10 also wreaked havoc on targets who did not meet their demands "by essentially shutting off production systems so that the mine or casino couldn't operate for a period of time," according to Charles Carmakal, another investigator and Mandiant vice president, resulting in "real" but unspecified revenue loss.

In one case, the attackers hid their code in a malicious webpage claiming to be an updated holiday schedule for staff. In another, they disguised a malicious Microsoft Word document as an employee questionnaire.

However, unlike the Russian-backed groups that frequently dominate headlines, Prevost said FIN10's tools and techniques were "very far from the state-sponsored type of activity that we investigate" — meaning the group used easily available "penetration testing tools" with names like Metasploit, PowerShell Empire and SplinterRAT.

Three Canadian casino operators suffered highly publicized data breaches last year — one of which, Cowboy’s Casino, had stolen information published online just this past week. It is not known if the hacking group FIN10 was behind the breach. (Robert F. Bukaty/The Associated Press)

Those tools allowed FIN10 to gain a foothold into its targets' networks, remove data and run basic commands that deleted important operating system files — effectively knocking out casino money handling computers, critical mining databases and systems that were required to let employees log into their workstations.

The attackers "scheduled them just like a timebomb," Prevost said — in one client's case, taking 60 critical systems offline overnight.
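The two details above that matter most to a defender are that the destructive commands were ordinary operating-system file deletions and that they were staged through scheduled tasks set to fire overnight. The following is an added example, not code from the article or from FireEye, showing how a small triage script could score scheduled-task creation records for that pattern. It assumes the records carry the task definition XML in the form Windows logs with Security event 4698 (task created); the three sample events, the scoring weights, the business-hours window and the alert threshold are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, time

# Namespace used by Task Scheduler task definitions as logged in event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed local business hours; tasks set to fire outside this window score higher.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# File-deletion verbs (cmd.exe and PowerShell) matched as whole tokens.
DESTRUCTIVE_VERB = re.compile(
    r"(?<![\w-])(del|erase|rd|rmdir|format|remove-item|rm)(?![\w-])", re.I)
OS_PATHS = ("c:\\windows", "%systemroot%", "%windir%")
USER_WRITABLE = ("c:\\users\\", "\\temp\\", "\\appdata\\", "\\public\\")


def task_xml(start, trigger, command, arguments):
    """Build a minimal task definition; used only to construct the sample events."""
    return (
        f'<Task xmlns="{NS["t"]}"><Triggers><{trigger}>'
        f"<StartBoundary>{start}</StartBoundary></{trigger}></Triggers>"
        f"<Actions><Exec><Command>{command}</Command>"
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


# Constructed sample records (task name, creating user, logged task XML).
SAMPLE_EVENTS = [
    {"task": "\\Backup\\NightlyDbDump", "user": "CORP\\backupsvc",
     "xml": task_xml("2016-03-15T01:00:00", "CalendarTrigger",
                     "C:\\Program Files\\Acme Backup\\dbdump.exe", "--out D:\\backups")},
    {"task": "\\Microsoft\\Windows\\Updt", "user": "CORP\\jdoe",
     "xml": task_xml("2016-03-15T02:30:00", "TimeTrigger",
                     "C:\\Windows\\System32\\cmd.exe", "/c del /f /q C:\\Windows\\System32\\*")},
    {"task": "\\Maint", "user": "CORP\\jdoe",
     "xml": task_xml("2016-03-15T03:00:00", "TimeTrigger",
                     "C:\\Windows\\System32\\cmd.exe", "/c C:\\Users\\Public\\update.bat")},
]


def score_task(event, business_hours=BUSINESS_HOURS):
    """Return (score, reasons) for one task-creation record."""
    root = ET.fromstring(event["xml"])
    command = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS)
    arguments = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS)
    start = root.findtext(".//t:StartBoundary", default="", namespaces=NS)
    args_l = arguments.lower()
    line_l = f"{command} {arguments}".lower()
    score, reasons = 0, []

    # Strongest signal: a deletion verb aimed at an operating-system directory.
    if DESTRUCTIVE_VERB.search(args_l) and any(p in args_l for p in OS_PATHS):
        score += 3
        reasons.append("destructive command targets an OS directory")
    # Timebomb shape: scheduled to fire when nobody is watching.
    if start:
        fire_at = datetime.fromisoformat(start).time()
        if not (business_hours[0] <= fire_at < business_hours[1]):
            score += 1
            reasons.append(f"fires out of hours at {fire_at:%H:%M}")
    # A one-shot TimeTrigger runs once at a fixed moment rather than on a recurring schedule.
    if root.find(".//t:TimeTrigger", NS) is not None:
        score += 1
        reasons.append("one-shot TimeTrigger")
    # Content launched from a location any user can write to.
    if any(p in line_l for p in USER_WRITABLE):
        score += 1
        reasons.append("runs content from a user-writable location")
    return score, reasons


def find_suspicious(events, threshold=3):
    """Return [(task name, score, reasons)] for records at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_task(ev)
        if score >= threshold:
            hits.append((ev["task"], score, reasons))
    return hits


if __name__ == "__main__":
    for task, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{score} {task}: {'; '.join(reasons)}")
```

The benign nightly backup scores only for its off-hours trigger and stays under the threshold, while the two one-shot overnight tasks are surfaced, one for the deletion aimed at the Windows directory and the other for running a script from a user-writable path. The weights are deliberately simple; in practice the task's creating account and the host's role would feed in too.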

Who were the victims?

Carmakal said FireEye's report involved "less than 10" companies, but would not specify how many. FireEye also declined to name any of the companies that were targeted, citing confidentiality agreements with the victims. But previous breaches offer some possible clues.

In the mining industry, both Goldcorp and Detour Gold Corporation have suffered data breaches in recent years, and seen gigabytes of personal information published online — including employees' personal contact and financial information.

Earlier this week, some of the information from the Cowboy's Casino breach — specifically, customers' personal information and information on gambling habits and payouts — was posted online.

It's not clear if the casinos or mines mentioned in previous reports are also part of FireEye's report, and the company wouldn't say. It was reported by the Financial Times that FireEye was investigating the River Cree Resort incident, but the company also would not confirm whether the incident was part of the company's report.

Corrections

A previous version of this story misstated the current value of bitcoin in Canadian dollars. The criminal group demanded ransoms of between 100 and 500 bitcoin — about $350,000 to $1,700,000 Cdn today, and not $35,000 to $170,000 Cdn as initially reported.